Now that we have a basic database of information that we can use later on, we need a way of practicing our exploitation techniques (and eventually our protection techniques) on a web application. Luckily, there is a solution called "Damn Vulnerable Web App." DVWA is a PHP/MySQL environment designed with test pages and configuration that make it purposefully vulnerable to a number of attack vectors. We will be installing it so that we can attack it (and learn) and eventually protect it against those attacks.
DVWA can be downloaded at the project's home page: http://www.dvwa.co.uk/. From the Fedora machine, download and extract the ZIP file from the download page. Next, the files need to be moved into the web directory. (If you don't have an Apache/PHP/MySQL server configured, please return to part two.)
I will be using root for this exercise. I want to make the application as vulnerable as possible, and running as root will increase our chances for exploitation.
[root@localhost current_dir]# mv dvwa /var/www/html
Next, we need to issue the following command, which persistently (-P) turns on the SELinux boolean that lets Apache read user content:
setsebool -P httpd_read_user_content 1
Now, in the web browser, navigate to your site's address followed by /dvwa. You'll see the following error:
Click the link to set up your database. Click the "Create/Reset Database" button. If it was successful, you should see:
If you search in your MySQL database via the command line or phpMyAdmin, you should now see a "dvwa" database.
If you return to /dvwa in your browser, you'll be presented with a login screen. The default login is:
Now that DVWA is installed, we need to edit some configuration files so that it can be as insecure as possible. PHP version 5.2.6+ will prevent most MySQL injection attacks, so we need to change the configuration to allow them (most PHP websites are a version or so behind, so it is safe to assume that a majority of sites are still vulnerable, despite a newer version of PHP).
In the HTML directory of /var/www, type:
Then, type the following into the file:
magic_quotes_gpc = Off
allow_url_fopen = On
allow_url_include = On
Then save and exit.
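As an added example (not part of the original post or of the DVWA project), the Python check below reads an ini-style PHP configuration and lists which of the three directives above still carry the values set for this lab, which is worth running before a lab configuration is copied to another host. The function names and the sample configuration are constructed for illustration, and the parser is a simplified one.

```python
import re

# Values this page sets for the DVWA lab (taken from the three lines above).
LAB_VALUES = {
    "magic_quotes_gpc": False,
    "allow_url_fopen": True,
    "allow_url_include": True,
}
TRUE_WORDS = {"1", "on", "yes", "true"}
FALSE_WORDS = {"0", "off", "no", "false", "none", ""}
LINE_RE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def effective_flags(ini_text):
    """Return {directive: bool} for the directives named in LAB_VALUES."""
    # Simplified parsing (assumption of this example): ';' starts a comment,
    # [section] headers are skipped, and a later assignment overrides an earlier one.
    flags = {}
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        match = LINE_RE.match(line)
        if not match or match.group(1) not in LAB_VALUES:
            continue
        value = match.group(2).strip().strip("\"'").lower()
        if value in TRUE_WORDS:
            flags[match.group(1)] = True
        elif value in FALSE_WORDS:
            flags[match.group(1)] = False
    return flags


def lab_settings_present(ini_text):
    """List directives whose effective value equals the lab value above."""
    flags = effective_flags(ini_text)
    return sorted(n for n, lab in LAB_VALUES.items() if flags.get(n) == lab)


# Constructed sample: a config where only one lab value is still in effect.
SAMPLE = """\
[PHP]
; allow_url_include = On   (commented out, must not count)
allow_url_fopen = On
allow_url_include = On ; enabled for the lab
allow_url_include = Off
magic_quotes_gpc = "On"
"""

if __name__ == "__main__":
    for name in lab_settings_present(SAMPLE):
        print("lab-only value still set:", name)
```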
Next in the Series
Next, I will be using the DVWA setup to test some common vulnerabilities such as XSS and MySQL injection. Following that, I will be installing a web application firewall in front of the application to determine how such a configuration can help protect against exploitation.